Cisco 857 and Sonicwall NSA 2600 VPN

Posted on 2014-01-27
Last Modified: 2014-02-20
I am trying to set up VPN through my NSA 2600 from an iPad; the NSA is connected to the 857, which is connected to the internet.

I have applied the following to my Cisco router:

ip nat inside source static tcp 192.168.10.104 1701 interface ATM0.1 1701
ip nat inside source static udp 192.168.10.104 500 interface ATM0.1 500
ip nat inside source static udp 192.168.10.104 5500 interface ATM0.1 5500
ip nat inside source static udp 192.168.10.104 1701 interface ATM0.1 1701

On the SonicWALL I have:

Enabled VPN
Enabled "WAN GroupVPN"
Authentication: IKE with pre-shared secret
Proposals: default
Created a group in AD called "VPN Users", added myself to it, and selected that group for XAUTH (I use RADIUS with LDAP to authenticate users)
Clicked "set default route as this gateway"

Now when I try to VPN in I get these errors:

1      UTC 01/27/2014 16:32:37.496      Debug      VPN IKE      SENDING>>>> ISAKMP OAK MM (InitCookie:0xb731b6b79cde278f RespCookie:0x2664a834586237a6, MsgID: 0x0) (KE, NATD, NATD, NON, VID, VID, VID)      192.168.10.104, 500      xx.xx.xx.xx, 500, host-xx.xx.xx.xx.dslgb.com      VPN Policy: WAN GroupVPN              
2      UTC 01/27/2014 16:32:37.496      Info      VPN IKE      NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device                                   
3      UTC 01/27/2014 16:32:37.496      Info      VPN IKE      NAT Discovery : Local IPSec Security Gateway behind a NAT/NAPT Device                                   
4      UTC 01/27/2014 16:32:37.496      Debug      VPN IKE      RECEIVED<<< ISAKMP OAK MM (InitCookie:0xb731b6b79cde278f RespCookie:0x2664a834586237a6, MsgID: 0x0) (KE, NON, NATD, NATD)      xx.xx.xx.xx, 500, host-xx.xx.xx.xx.dslgb.com      192.168.10.104, 500      VPN Policy: WAN GroupVPN              
5      UTC 01/27/2014 16:32:37.400      Debug      VPN IKE      SENDING>>>> ISAKMP OAK MM (InitCookie:0xb731b6b79cde278f RespCookie:0x2664a834586237a6, MsgID: 0x0) (SA, VID, VID)      192.168.10.104, 500      xx.xx.xx.xx, 500, host-xx.xx.xx.xx.dslgb.com      VPN Policy: WAN GroupVPN              
6      UTC 01/27/2014 16:32:37.400      Info      VPN IKE      IKE Responder: Received Main Mode request (Phase 1)      xx.xx.xx.xx, 500, host-xx.xx.xx.xx.dslgb.com      192.168.10.104, 500                     
7      UTC 01/27/2014 16:32:37.400      Debug      VPN IKE      RECEIVED<<< ISAKMP OAK MM (InitCookie:0xb731b6b79cde278f RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID, VID, VID, VID, VID, VID, VID, VID)      xx.xx.xx.xx, 500, host-xx.xx.xx.xx.dslgb.com      192.168.10.104, 500


This is from an iPad using L2TP VPN.

Does anyone know what I can do to resolve this issue, please?
Question by:CaptainGiblets
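An added checker, not part of the original question or of any Cisco or SonicWALL tool, that works on the two artifacts posted above: it parses the static NAT lines and the SonicWALL "VPN IKE" log lines, reports how far IKE Main Mode got, whether NAT Discovery found a NAT device on both sides, and which of the UDP ports an L2TP/IPsec client needs (500 for IKE, 4500 for NAT-Traversal per RFC 3948, 1701 for L2TP) have no forward on the router. ESP (IP protocol 50) has no port numbers, so it cannot be forwarded by a per-port static NAT rule; that is why NAT-T on UDP 4500 is the path the tunnel must take once both peers see NAT. The sample config and log lines are copied from the question (the VID list on the last log line is shortened); the port table, the "ID" payload marker used to recognise the third Main Mode exchange, and the wording of the findings are this example's own assumptions.

```python
import re
from datetime import datetime

# UDP ports an L2TP/IPsec client must reach when the IPsec gateway sits behind NAT.
# ESP cannot be port-forwarded, so once NAT Discovery finds NAT on both sides the
# IKE and ESP traffic moves to UDP 4500 (NAT-Traversal, RFC 3947/3948).
REQUIRED_UDP_PORTS = {500: "IKE/ISAKMP", 4500: "IPsec NAT-T", 1701: "L2TP"}

# Static NAT lines copied from the question above (sample input).
CISCO_NAT_CONFIG = """
ip nat inside source static tcp 192.168.10.104 1701 interface ATM0.1 1701
ip nat inside source static udp 192.168.10.104 500 interface ATM0.1 500
ip nat inside source static udp 192.168.10.104 5500 interface ATM0.1 5500
ip nat inside source static udp 192.168.10.104 1701 interface ATM0.1 1701
"""

# SonicWALL "VPN IKE" log lines copied from the question, newest first as the GUI
# lists them (addresses abbreviated as in the post; VID list on line 7 shortened).
SONICWALL_IKE_LOG = """
1  UTC 01/27/2014 16:32:37.496  Debug  VPN IKE  SENDING>>>> ISAKMP OAK MM (InitCookie:0xb731b6b79cde278f RespCookie:0x2664a834586237a6, MsgID: 0x0) (KE, NATD, NATD, NON, VID, VID, VID)  192.168.10.104, 500  xx.xx.xx.xx, 500
2  UTC 01/27/2014 16:32:37.496  Info  VPN IKE  NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device
3  UTC 01/27/2014 16:32:37.496  Info  VPN IKE  NAT Discovery : Local IPSec Security Gateway behind a NAT/NAPT Device
4  UTC 01/27/2014 16:32:37.496  Debug  VPN IKE  RECEIVED<<< ISAKMP OAK MM (InitCookie:0xb731b6b79cde278f RespCookie:0x2664a834586237a6, MsgID: 0x0) (KE, NON, NATD, NATD)  xx.xx.xx.xx, 500  192.168.10.104, 500
5  UTC 01/27/2014 16:32:37.400  Debug  VPN IKE  SENDING>>>> ISAKMP OAK MM (InitCookie:0xb731b6b79cde278f RespCookie:0x2664a834586237a6, MsgID: 0x0) (SA, VID, VID)  192.168.10.104, 500  xx.xx.xx.xx, 500
6  UTC 01/27/2014 16:32:37.400  Info  VPN IKE  IKE Responder: Received Main Mode request (Phase 1)  xx.xx.xx.xx, 500  192.168.10.104, 500
7  UTC 01/27/2014 16:32:37.400  Debug  VPN IKE  RECEIVED<<< ISAKMP OAK MM (InitCookie:0xb731b6b79cde278f RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID)  xx.xx.xx.xx, 500  192.168.10.104, 500
"""

NAT_RULE_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$"
)
LOG_RE = re.compile(
    r"^\s*(\d+)\s+UTC\s+(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+)\s+(\w+)\s+VPN IKE\s+(.*)$"
)
# The payload list is the last parenthesised group of upper-case names on a line.
PAYLOADS_RE = re.compile(r"\(([A-Z]+(?:, [A-Z]+)*)\)")


def parse_nat_forwards(config_text):
    """Map (protocol, outside port) -> (inside host, inside port) per static NAT line."""
    forwards = {}
    for line in config_text.splitlines():
        m = NAT_RULE_RE.match(line.strip())
        if m:
            proto, inside_ip, inside_port, _iface, outside_port = m.groups()
            forwards[(proto, int(outside_port))] = (inside_ip, int(inside_port))
    return forwards


def missing_udp_forwards(forwards):
    """Required L2TP/IPsec UDP ports that no static NAT rule forwards."""
    return sorted(p for p in REQUIRED_UDP_PORTS if ("udp", p) not in forwards)


def parse_ike_log(text):
    """Parse SonicWALL 'VPN IKE' lines into dicts, returned oldest first."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        seq, stamp, level, rest = m.groups()
        groups = PAYLOADS_RE.findall(rest)
        entries.append({
            "seq": int(seq),
            "time": datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S.%f"),
            "level": level,
            "message": rest,
            "direction": "send" if "SENDING" in rest else "recv" if "RECEIVED" in rest else None,
            "payloads": groups[-1].split(", ") if groups else [],
        })
    # Same timestamp: the higher sequence number is the older event.
    return sorted(entries, key=lambda e: (e["time"], -e["seq"]))


def nat_traversal_required(entries):
    """True when NAT Discovery reported a NAT/NAPT device on both the peer and the local side."""
    msgs = " ".join(e["message"] for e in entries)
    return ("Peer IPSec Security Gateway behind a NAT" in msgs
            and "Local IPSec Security Gateway behind a NAT" in msgs)


# Main Mode exchanges in order; "ID" as the marker of the third (encrypted) exchange
# is an assumption of this example.
MAIN_MODE_STAGES = (("SA", 1, "SA/proposal exchange"),
                    ("KE", 2, "key exchange (KE, NONCE, NAT-D)"),
                    ("ID", 3, "identity/authentication exchange"))


def main_mode_stage(entries):
    """Furthest Main Mode exchange seen in the log (0 = none)."""
    stage, name = 0, "no Main Mode messages"
    for marker, number, desc in MAIN_MODE_STAGES:
        if any(marker in e["payloads"] for e in entries):
            stage, name = number, desc
    return stage, name


def diagnose(config_text, log_text):
    """Combine the NAT rules and the IKE log into a short list of findings."""
    entries = parse_ike_log(log_text)
    stage, stage_name = main_mode_stage(entries)
    nat_t = nat_traversal_required(entries)
    missing = missing_udp_forwards(parse_nat_forwards(config_text))
    findings = [f"UDP {p} ({REQUIRED_UDP_PORTS[p]}) is not forwarded to the gateway" for p in missing]
    if nat_t and stage == 2:
        findings.append("NAT detected on both sides and Phase 1 stops after the KE/NAT-D "
                        "exchange, the point at which NAT-T moves IKE to UDP 4500")
    return {"nat_t_required": nat_t, "main_mode_stage": stage, "stage_name": stage_name,
            "missing_udp_ports": missing, "findings": findings}


if __name__ == "__main__":
    for key, value in diagnose(CISCO_NAT_CONFIG, SONICWALL_IKE_LOG).items():
        print(f"{key}: {value}")
```

The log is sorted into chronological order before any reasoning, because the SonicWALL GUI lists the newest event first and the Main Mode stage is easier to read off a forward sequence. The checker only reports which required ports lack a forward and where the exchange stopped; it does not claim a single root cause, since a Phase 1 stall at this point can also come from a proposal or pre-shared-key mismatch that this log does not show.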
4 Comments
 
LVL 8

Expert Comment

by:amatson78
ID: 39813072
If this is for a client connection, I'm curious why you are trying to set up a site-to-site VPN, as it looks from your configs? You would want to use a client VPN setup, not a site-to-site one. Also, the iPad has an SSL VPN app; have you tried using that, which is way more intuitive?

http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/A_8751-SonicWALL-SSL-VPN-application-for-iPhone-iPad-iPod-Touch.html
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 39814746
I have set up SSL-VPN, but I only have 2 licences. I can always look at getting more, but I am still having problems getting my VPN users out to the internet. They can get to internal things with the VPN set up, and I have enabled Tunnel All.

However, when I try to browse the internet I get these messages:

1      UTC 01/28/2014 11:57:39.320      Info      SSLVPN      SSLVPN Traffic      192.168.17.221, 49760, X0 dan james      192.168.16.200, 53                     
2      UTC 01/28/2014 11:55:13.912      Notice      Network Access      Web access request dropped      192.168.17.221, 49842, X0      67.203.139.148, 80, X1, whatismyipaddress.com      HTTP

I have set up a NAT between the SSLVPN and External (policy 22):

Original Source: SSLVPN IP Pool | Translated Source: X1 IP | Original Destination: Any | Translated Destination: Original | Original Service: Any | Translated Service: Original | Inbound Interface: X0 | Outbound Interface: X1 | Priority: 22 | Enabled

And under firewall access rules I have this (SSLVPN > WAN):

Priority 1: Source SSLVPN IP Pool | Destination Any | Service Any | Action Allow | Users All | Comment None | Enabled (a service depends on this rule)
Priority 2 (rule 27): Source Any | Destination Any | Service Any | Action Allow | Users All | Comment None

What am I missing for SSLVPN external access?
 
LVL 24

Accepted Solution

by: diverseit (earned 500 total points)
ID: 39843867
Hi CaptainGiblets,

NetExtender in Tunnel All mode forces all traffic to be routed over the SSL-VPN adapter. To allow your end users access to the internet over the UTM-SSLVPN, you will need to allow “WAN RemoteAccess Networks” (a network address object whose value 0.0.0.0 acts like a default route), and the Tunnel All option must be selected on the Client Routes page. The method below is appropriate when the administrator wants all of their NetExtender users to have their internet access provided through the SSL-VPN; otherwise, disable Tunnel All mode. Be sure that you are not overwhelming the internet bandwidth at the location where the firewall is installed, as this traffic will be added to the other loads from inside the network.

Step 1: On the SonicWALL, go to the SSL-VPN > Client Routes screen and enable the Tunnel All option in the drop-down menu.

Step 2: On the Users > Local Groups screen, configure SSLVPN Services group and under tab “VPN Access,” add the object WAN RemoteAccess Networks.

Step 3: No custom rules are needed on the Firewall > Access Rules screen for this to work. You can see the auto-added rules in the SSLVPN to WAN section.

Let me know if you have any questions!
 
LVL 24

Expert Comment

by:diverseit
ID: 39847278
Have you tried my solution yet? (http:#a39843867)